Old 06-06-12, 13:55   #1
js3811
Flame Virus: How to Check if You Are Infected With Malware

C/P

By MATTHEW CHAPMAN:

Kaspersky Lab has taken a look at the code for the Flame Virus and has started to map some of the qualities of this malicious malware.




Using the information collected so far it is possible to find out if a computer has been infected.

"The main module of Flame is a DLL file called mssecmgr.ocx," Alexander Gostev, chief security expert at Kaspersky Lab, revealed in a blog post.

"We've discovered two modifications of this module. Most of the infected machines contained its 'big' version, 6Mb in size, and carrying and deploying additional modules. The smaller version's size is only 900Kb and contains no additional modules. After installation, the small module connects to one of the C&C servers and tries to download and install the remaining components from there."

Gostev said the Mssecmgr file may be called different names on infected machines, depending on the method of infection and the current internal state of the malware (installation, replication, upgrade). For example, it could be called wavesup3.drv, ~zff042.ocx or msdclr64.ocx.

Step 1

Perform a search for the file ~DEB93D.tmp. Its presence on a system means that it either is or has been infected by Flame.

Step 2

Check the registry key HKLM_SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages. If you find mssecmgr.ocx or authpack.ocx in there - you are infected with Flame.

Step 3

Check for the presence of the following catalogues. If they are present - you are infected.

C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr

C:\Program Files\Common Files\Microsoft Shared\MSAudio

C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl

C:\Program Files\Common Files\Microsoft Shared\MSAPackages

C:\Program Files\Common Files\Microsoft Shared\MSSndMix

Step 4

Conduct a search for the rest of the filenames listed below. All of them are unique and if they are discovered there is a strong possibility of a Flame Virus infection.


Kaspersky Lab's detailed look at the functionality of the malware shows that it contains a number of different elements, all with specific jobs.

For example, the Beetlejuice unit can use Bluetooth to turn your computer into a 'beacon' and announces it as a discoverable device. Meanwhile, the Weasel unit creates a directory listing of the infected computer.

Below is a brief overview of the available units. The names were extracted from the binary and the 146 resource.

Beetlejuice

Bluetooth: enumerates devices around the infected machine.
May turn itself into a "beacon": announces the computer as a discoverable device and encodes the status of the malware in device information using base64.

Microbe

Records audio from existing hardware sources. Lists all multimedia devices, stores complete device configuration, tries to select suitable recording device.

Infectmedia

Selects one of the methods for infecting media, i.e. USB disks. Available methods: Autorun_infector, Euphoria.

Autorun_infector

Creates "autorun.inf" that contains the malware and starts with a custom "open" command. The same method was used by Stuxnet before it employed the LNK exploit.

Euphoria

Creates a "junction point" directory with "desktop.ini" and "target.lnk" from LINK1 and LINK2 entries of resource 146 (were not present in the resource file). The directory acts as a shortcut for launching Flame.

Limbo

Creates backdoor accounts with login "HelpAssistant" on the machines within the network domain if appropriate rights are available.

Frog

Infects machines using pre-defined user accounts. The only user account specified in the configuration resource is "HelpAssistant" that is created by the "Limbo" attack.

Munch

HTTP server that responds to "/view.php" and "/wpad.dat" requests.

Snack

Listens on network interfaces, receives and saves NBNS packets in a log file. Has an option to start only when "Munch" is started. Collected data is then used for replicating by network.

Boot_dll_loader

Configuration section that contains the list of all additional modules that should be loaded and started.

Weasel

Creates a directory listing of the infected computer.

Boost

Creates a list of "interesting" files using several filename masks.

Telemetry

Logging facilities

Gator

When an Internet connection becomes available, it connects to the C&C servers, downloads new modules, and uploads collected data.

Security

Identifies programs that may be hazardous to Flame, i.e., anti-virus programs and firewalls.

Bunny, Dbquery, Driller, Headache and Gadget

The purpose of these modules is not yet known.

http://www.ibtimes.co.uk/articles/346825/20120530/flame-virus-malware-check-infected.htm
Take care.
Reply With Quote
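Steps 1 to 3 from the post above as one read-only PowerShell check. This is an added example, not part of the original post or of Kaspersky's tooling; the function name `Test-FlameIndicator` and its parameters are assumptions, and it uses only the indicator names quoted in those steps.

```powershell
# Added example: read-only check for the Flame indicators quoted in Steps 1-3.
# Test-FlameIndicator and its parameters are hypothetical names, not from the article.
function Test-FlameIndicator {
    [CmdletBinding()]
    param(
        # Roots searched recursively for indicator file names.
        [string[]]$SearchRoot = @("$env:SystemDrive\"),
        # File names or wildcard patterns; append more names to widen the search.
        [string[]]$Name = @('~DEB93D.tmp', 'mssecmgr.ocx', 'authpack.ocx')
    )

    # Step 1: file name search. -Force includes hidden and system files;
    # folders the current account cannot read are skipped.
    Get-ChildItem -Path $SearchRoot -Include $Name -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Check = 'File name'; Indicator = $_.FullName } }

    # Step 2: "Authentication Packages" is a multi-string value under the Lsa key.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = 'Authentication Packages'
    $packages = (Get-ItemProperty -Path $lsa -Name $value -ErrorAction SilentlyContinue).$value
    foreach ($entry in $packages) {
        if ($entry -match '(mssecmgr|authpack)\.ocx') {
            [pscustomobject]@{ Check = 'LSA authentication package'; Indicator = $entry }
        }
    }

    # Step 3: directories under "Common Files\Microsoft Shared". The article gives the
    # C:\Program Files path; also checking the (x86) location is an addition here.
    $bases = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($base in $bases) {
        foreach ($dir in 'MSSecurityMgr', 'MSAudio', 'MSAuthCtrl', 'MSAPackages', 'MSSndMix') {
            $path = Join-Path (Join-Path $base 'Microsoft Shared') $dir
            if (Test-Path -LiteralPath $path -PathType Container) {
                [pscustomobject]@{ Check = 'Directory'; Indicator = $path }
            }
        }
    }
}

# Collect the findings; an empty result means none of these indicators were found.
$hits = @(Test-FlameIndicator)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { 'No indicators from Steps 1-3 found.' }
```

A full-drive search is slow, and folders the current account cannot read are skipped silently, so run it from an elevated prompt for full coverage.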
Old 09-06-12, 18:01   #2
photostill
Re: Flame Virus: How to Check if You Are Infected With Malware

Since Kaspersky has revealed to the public and world at large the existence of Flame, the controllers of Flame have sent out the kill and delete command. It will now rapidly disappear in an attempt to prevent discovery of how it was done.

This malware itself will now fade away as being a problem.
Old 29-08-12, 21:01   #3
pop
Re: Flame Virus: How to Check if You Are Infected With Malware

So you're saying, "don't worry about it?" Is that right?